# Wallet Security

## Validator permission grants

To enhance security and eliminate the need to store the validator wallet private keys on the server, an intermediate address can be used. This intermediate address is granted the necessary permissions to withdraw rewards and commissions, as well as to vote on behalf of the validator. Below is a detailed description of the process and an explanation of all parameters and commands involved:

**Description**

The objective is to delegate specific operational tasks of a validator to a grantee (intermediate address) by granting them necessary permissions. This setup ensures that the <mark style="color:green;">**validator's private keys are not stored on the server**</mark>, thereby improving security. The grantee will be authorized to:

1. `Withdraw delegator rewards.`
2. `Withdraw validator commissions and rewards.`
3. `Vote on governance proposals.`

**Parameters**

<mark style="color:purple;">**BINARY=**</mark><mark style="color:yellow;">**\<binary>**</mark>

`Path to the binary executable of the daemon` (e.g., `$HOME/go/bin/dymd`).

<mark style="color:purple;">**GRANTEE\_ADDRESS=**</mark><mark style="color:yellow;">**\<your address>**</mark>

`Address of the grantee (intermediate address) which will receive the permissions.`

<mark style="color:purple;">**WITHDRAW\_ADDRESS=**</mark><mark style="color:yellow;">\<destination address></mark>

`Address to which rewards and commissions will be withdrawn.`

<mark style="color:purple;">**VALIDATOR\_ADDRESS=**</mark><mark style="color:yellow;">**\<your address>**</mark>

`The validator's wallet address.`

<mark style="color:purple;">**VALOPER=**</mark><mark style="color:yellow;">**\<your valoper>**</mark>

`Validator operator address.`

<mark style="color:purple;">**FEES=**</mark><mark style="color:yellow;">**\<fees>**</mark>

`Transaction fee` (e.g., `5000000000000000adym`).

<mark style="color:purple;">**GAS=**</mark><mark style="color:yellow;">**\<gas>**</mark>

`Gas limit for transactions` (e.g., `350000`).

<mark style="color:purple;">**PASS=**</mark><mark style="color:yellow;">\<your password></mark>

`Password for keyring access and sending transactions.`

{% hint style="info" %}
To grant the necessary permissions, the validator's wallet must be present in the keyring (key storage). The grantee's wallet must also be added to the keyring, and a small amount of coins should be sent to it to cover the gas fees for future authorized transactions. After the permissions have been granted, the validator's wallet can be safely removed from the server. This ensures that the validator's private keys are no longer stored on the server, enhancing the overall security of the system.
{% endhint %}

**Commands**

1. **Set Withdraw Address**

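   ```bash
   # "yes" receives the password as an argument, so it is visible in the process list while this runs.
   yes "$PASS" | "$BINARY" tx distribution set-withdraw-addr "$WITHDRAW_ADDRESS" --from "$VALIDATOR_ADDRESS" --fees "$FEES" --gas "$GAS" -y
   ```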

   * Sets the address where rewards will be withdrawn.
2. **Grant Authorization to Grantee**

   * Grant permission to withdraw delegator rewards:

     ```bash
     yes "$PASS" | "$BINARY" tx authz grant "$GRANTEE_ADDRESS" generic --msg-type /cosmos.distribution.v1beta1.MsgWithdrawDelegatorReward --from "$VALIDATOR_ADDRESS" --fees "$FEES" --gas "$GAS" -y
     ```
   * Grant permission to withdraw validator commissions:

     ```bash
     yes "$PASS" | "$BINARY" tx authz grant "$GRANTEE_ADDRESS" generic --msg-type /cosmos.distribution.v1beta1.MsgWithdrawValidatorCommission --from "$VALIDATOR_ADDRESS" --fees "$FEES" --gas "$GAS" -y
     ```
   * Grant permission to vote on governance proposals:

     ```bash
     yes "$PASS" | "$BINARY" tx authz grant "$GRANTEE_ADDRESS" generic --msg-type=/cosmos.gov.v1.MsgVote --from "$VALIDATOR_ADDRESS" --fees "$FEES" --gas "$GAS" -y
     ```

   {% hint style="success" %}
   <mark style="color:green;">Now we can safely delete our Validator Wallet from this server.</mark> <mark style="color:purple;">**VALIDATOR\_ADDRESS**</mark>
   {% endhint %}
3. **Execute Authorized Transactions**
   * Withdraw validator commission and rewards:

     ```bash
     yes "$PASS" | "$BINARY" tx authz exec <("$BINARY" tx distribution withdraw-rewards "$VALOPER" --commission --from "$VALIDATOR_ADDRESS" --generate-only) --from "$GRANTEE_ADDRESS" --fees "$FEES" --gas "$GAS" -y
     ```

     * Executes the withdrawal of validator commission and rewards using the granted authorization.
   * Vote on a governance proposal:

     ```bash
     yes "$PASS" | "$BINARY" tx authz exec <("$BINARY" tx gov vote "$PROPOSAL_ID" "$VOTE_OPTION" --from "$VALIDATOR_ADDRESS" --generate-only) --from "$GRANTEE_ADDRESS" --fees "$FEES" --gas "$GAS" -y
     ```

     * Executes a governance vote using the granted authorization. Be sure to replace `$PROPOSAL_ID` with the proposal ID and `$VOTE_OPTION` with the vote option.
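
A check worth running after the grants in step 2 and before the validator key is deleted: confirm that the grantee holds exactly the three grants and nothing broader. This is an added example, not part of the original guide; it assumes the JSON shape described in its comments for the `query authz grants` output, and the sample outputs are constructed.

```bash
# Added example, not part of the original guide. Audits the JSON printed by:
#   "$BINARY" query authz grants "$VALIDATOR_ADDRESS" "$GRANTEE_ADDRESS" -o json
# Assumed shape per grant: {"authorization":{"@type":"...","msg":"<type URL>"}}

# The three message types granted in step 2.
EXPECTED='/cosmos.distribution.v1beta1.MsgWithdrawDelegatorReward
/cosmos.distribution.v1beta1.MsgWithdrawValidatorCommission
/cosmos.gov.v1.MsgVote'
GENERIC='/cosmos.authz.v1beta1.GenericAuthorization'

# json_values KEY JSON: print each distinct string value stored under KEY.
json_values() {
  printf '%s\n' "$2" |
    grep -oE "\"$1\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" |
    sed -E 's/^"[^"]*"[[:space:]]*:[[:space:]]*"([^"]*)"$/\1/' | sort -u
}

# audit_grants JSON: print MISSING/UNEXPECTED findings; return 0 only when the
# grantee holds exactly the three expected generic grants and nothing else.
audit_grants() {
  have=$(json_values msg "$1")
  kinds=$(json_values @type "$1")
  findings=$(
    # "none" stands in for an empty pattern list when nothing is granted.
    printf '%s\n' "$EXPECTED" | grep -vxF -e "${have:-none}" | sed 's/^/MISSING /'
    printf '%s\n' "$have" "$kinds" | grep -vxF -e "$EXPECTED" -e "$GENERIC" |
      grep . | sed 's/^/UNEXPECTED /'
  )
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Constructed sample outputs (not captured from a real chain).
A='{"authorization":{"@type":"/cosmos.authz.v1beta1.GenericAuthorization","msg":'
SAMPLE_OK="{\"grants\":[
$A\"/cosmos.distribution.v1beta1.MsgWithdrawDelegatorReward\"}},
$A\"/cosmos.distribution.v1beta1.MsgWithdrawValidatorCommission\"}},
$A\"/cosmos.gov.v1.MsgVote\"}}]}"
# Vote grant missing, and a broader-than-intended MsgSend grant present.
SAMPLE_BAD="{\"grants\":[
$A\"/cosmos.distribution.v1beta1.MsgWithdrawDelegatorReward\"}},
$A\"/cosmos.distribution.v1beta1.MsgWithdrawValidatorCommission\"}},
$A\"/cosmos.bank.v1beta1.MsgSend\"}}]}"

audit_grants "$SAMPLE_OK" && echo "grants match: validator key may be removed"
audit_grants "$SAMPLE_BAD" || echo "grants differ: keep the validator key and fix them"
```

Against a live node, pass the real query output as the argument instead of the samples and only remove the validator key when the function returns 0.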


